DOI

Data loss, i.e. the unauthorized/unwanted disclosure of data, is a major threat for modern organizations. Data Loss Protection (DLP) solutions in use nowadays, either employ patterns of known attacks (signature-based) or try to find deviations from normal behavior (anomaly-based). While signature-based solutions provide accurate identification of known attacks and, thus, are suitable for the prevention of these attacks, they cannot cope with unknown attacks, nor with attackers who follow unusual paths (like those known only to insiders) to carry out their attack. On the other hand, anomaly-based solutions can find unknown attacks but typically have a high false positive rate, limiting their applicability to the detection of suspicious activities. In this paper, we propose a hybrid DLP framework that combines signature-based and anomaly-based solutions, enabling both detection and prevention. The framework uses an anomaly-based engine that automatically learns a model of normal user behavior, allowing it to flag when insiders carry out anomalous transactions. Typically, anomaly-based solutions stop at this stage. Our framework goes further in that it exploits an operator's feedback on alerts to automatically build and update signatures of attacks that are used to timely block undesired transactions before they can cause any damage.

Original languageEnglish
Title of host publicationProceedings - 2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016
PublisherIEEE
Pages324-333
Number of pages10
ISBN (Electronic)978-1-5090-3690-5
ISBN (Print)978-1-5090-3691-2
DOIs
StatePublished - 1 Aug 2016
Externally publishedYes
Event2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016 - San Jose, United States
Duration: 23 May 201625 May 2016

Conference

Conference2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016
CountryUnited States
CitySan Jose
Period23/05/1625/05/16

    Research areas

  • data loss, detection, prevention, white-box anomaly detection

ID: 32864140